The parent company of the Canadian Sobey’s and FreshCo supermarket chains says the direct and indirect costs from last year’s cyber attack could add up to over $54 million, not including insurance payments.
Empire estimates, based on available information, that the final impact on net earnings over fiscal 2023 and fiscal 2024 will be approximately $32 million, net of estimated insurance recoveries.
The numbers are included in the latest quarterly results issued today by Empire Co.
Direct impact of the November attack on the company’s net earnings are estimated at $39 million after an unspecified amount of insurance payments are received. In addition, the estimated cost of related sales and impacts such as the temporary loss of advanced planning, promotion, and fresh item management tools, temporary closures of pharmacies and customers’ inability to redeem gift cards and loyalty points is $15 million.
To put that in perspective, IBM estimated the average cost of a data breach to a Canadian organization was $7 million.
The quarterly report refers to the attack as a cyber incident, although Bleeping Computer says evidence suggests the company was hit by the BlackBasta ransomware gang.
“Empire is in the process of working with its insurance providers to make claims under its policies,” the quarterly financial report says in part. “Due to the complexity of the cyber insurance coverage and related claims, there will be a time lag between the initial incurrence of costs and the recognition of insurance proceeds. While the impact of the cybersecurity event is substantially behind the company, management expects that there will be some additional costs incurred after the third quarter of fiscal 2023.”
What the financials call the “cybersecurity event adjustment” — the $39.1 million — includes the impact of incremental direct costs such as hardware and software restoration costs, legal and professional fees labour costs and inventory shrink.
“Management believes that the cybersecurity event adjustment results in a useful economic representation of the underlying business on a comparative basis,” the report says. “The adjustment does not include management’s estimate of the full financial impact of the cybersecurity event, as it excludes the net earnings impacts related to the estimated decline in sales and operational effectiveness from impacts such as the temporary loss of advanced planning, promotion and fresh item management tools, the temporary closure of pharmacies, and customers’ temporary inability to redeem gift cards and loyalty points.” That would be the estimated $15 million.
